All of the key-servers I visit are timing out. I need to install packages without checking the signatures of the public keys. Is there a way to bypass all the signature checks/ignore all of the signature errors or fool apt into thinking the signature passed?

4 Answers
4

--allow-unauthenticated
Ignore if packages can't be authenticated and don't prompt about it. This is useful for tools like pbuilder. Configuration Item:
APT::Get::AllowUnauthenticated.

You can make this setting permanent by using your own config file at /etc/apt/apt.conf.d/ dir. The filename can be 99myown and it may contain this line:

APT::Get::AllowUnauthenticated "true";

In this way, you don't need to use the option every time you want to install software. Note: I do not recommend setting this option by default, it bypasses signature checks that could allow an adversary to compromise your computer.

If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.

The below script is not recommended if you can install the keys from a keyserver or download them from a trusted source via https, but if you don't have ANY other way, you can use this.

echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list
sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update
## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`
apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname
## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed
apt-get update
apt-get install somepkg-from-repo

I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.